I can see that with the Custom Script Extension it is possible to bootstrap new VMs (in a Scale Set). To access a script it needs an Azure storage URI and credentials. This approach doesn't work for me because (due to internal policies) it's not allowed to pass storage credentials.
My VMSS has an assigned service identity, which is registered with Key Vault. So it is quite straightforward to get credentials directly on the box. But for this I need at least a small bootstrap script =)
I found one hacky way to achieve this through the Custom Script Extension:
```powershell
# Read bootstrap.ps1 (next to this script) and encode it as UTF-16LE base64,
# which is the format PowerShell's -EncodedCommand expects.
$bootstrapScriptPath = Join-Path -Path $PSScriptRoot -ChildPath "bootstrap.ps1"
$bootstrapScriptBlock = Get-Command $bootstrapScriptPath | Select-Object -ExpandProperty ScriptBlock
$installScriptBase64 = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($bootstrapScriptBlock.ToString()))
```
```json
"commandToExecute": "[concat('powershell -ExecutionPolicy Unrestricted -EncodedCommand ', parameters('installScriptBase64'))]"
```
But I wonder whether there are better solutions.
Essentially I need something that Cloud Services provide: the ability to upload a payload and config settings.
SOLUTION
(Note: this is for Windows VMs. For Linux VMs there is an easier way, thanks to @sendmarsh.)
Please see below for the actual implementation (note: I marked as the answer a post from @4c74356b41, who suggested this idea).
First of all, I don't really see anything hacky; it's a valid approach.
Another way to pass in data is using the custom data property. It will be available as a file inside the VM. I don't remember if it's base64 encoded, but you can quickly figure it out after provisioning.
Yet another approach is to use Managed Service Identity for the VM. That way you just assign the VM proper permissions and it can download the script from storage without you passing them in explicitly.
Either way, you need to pass your script to the VM and invoke it using a script extension. You can use a custom image with the script inside it, or you can have the script at a publicly available URL so the VM can always pull it and execute it (you need MSI to handle auth for you in this case).
Another thing you can do is pull certificates from KV directly inside the VM during provisioning.
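To show both routes side by side, here is an added PowerShell example that is not from the question or the answer: it encodes bootstrap.ps1 the way the question does, enforces the Windows command-line length limit that -EncodedCommand is subject to, and emits Custom Script Extension settings with commandToExecute under protectedSettings (so the script body is not exposed in extension status or deployment output), plus the managed-identity variant that lets the extension fetch the script from storage with no storage key. The storage URI is a placeholder, and managed-identity support in the extension's protectedSettings is assumed to be available in the extension version you deploy.

```powershell
# Added example (not from the question or answer): build Custom Script Extension
# settings for a Windows VMSS from a local bootstrap.ps1. Nothing is deployed here;
# the output is the JSON you would put in the VMSS extensionProfile.
param(
    [string]$BootstrapScriptPath = (Join-Path $PSScriptRoot 'bootstrap.ps1')
)

# Windows rejects command lines longer than 32767 characters, and the
# -EncodedCommand payload is UTF-16LE base64 (roughly 2.7x the script size).
$maxCommandLength = 32767

function New-EncodedCommandSettings {
    param([string]$ScriptPath)
    $script  = Get-Content -Path $ScriptPath -Raw
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
    $command = "powershell -ExecutionPolicy Unrestricted -EncodedCommand $encoded"
    if ($command.Length -gt $maxCommandLength) {
        throw "Encoded bootstrap is $($command.Length) chars, over the $maxCommandLength limit; use fileUris with managedIdentity instead."
    }
    # Round-trip check: the decoded text must equal the script that was read.
    $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($encoded))
    if ($decoded -ne $script) { throw 'Base64 round-trip mismatch' }
    # commandToExecute goes under protectedSettings so the script body is
    # encrypted at rest and not shown in extension status or deployment output.
    return [ordered]@{
        settings          = @{}
        protectedSettings = @{ commandToExecute = $command }
    }
}

function New-ManagedIdentitySettings {
    param([string]$FileUri)
    # The extension downloads fileUris with a token from the VMSS identity, so no
    # storage key is passed (assumption: the identity has blob read access on the
    # container). An empty managedIdentity object selects the system-assigned
    # identity; a user-assigned one would be named by clientId or objectId.
    return [ordered]@{
        settings          = @{ fileUris = @($FileUri) }
        protectedSettings = @{
            commandToExecute = 'powershell -ExecutionPolicy Unrestricted -File bootstrap.ps1'
            managedIdentity  = @{}
        }
    }
}

New-EncodedCommandSettings -ScriptPath $BootstrapScriptPath | ConvertTo-Json -Depth 4
# Placeholder storage URI; replace with your own blob path.
New-ManagedIdentitySettings -FileUri 'https://<storageaccount>.blob.core.windows.net/scripts/bootstrap.ps1' | ConvertTo-Json -Depth 4
```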